A privilege escalation flaw in Windows Cloud Files Mini Filter Driver has been discovered, allowing local attackers to bypass file write protections and inject malicious code into system processes.
Security researchers have uncovered CVE-2025-55680, a high-severity privilege-escalation vulnerability in the Windows Cloud Files Mini Filter Driver.
The flaw exists in the Cloud Files Filter (cldsync.sys) driver’s handling of file path validation during placeholder file creation operations.
Specifically, the vulnerability resides in the call chain: HsmFltProcessHSMControl → HsmFltProcessCreatePlaceholders → HsmpOpCreatePlaceholders.
Microsoft previously patched a similar file write vulnerability reported by Project Zero in 2020. However, the current implementation contains a critical logical flaw.
While Microsoft added code that rejects backslash (\) and colon (:) characters in file paths to block symbolic link attacks, the validation check can be bypassed through a Time-of-Check Time-of-Use (TOCTOU) race condition.
Attackers can modify the path string in kernel memory between the validation check and the actual file operation, allowing malicious paths to pass through security controls.
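The check-then-use pattern described above, and the standard mitigation for it, as an added user-mode simulation that is not the driver's code: a path-character check runs against a buffer that another thread can still write to, versus the hardened form that copies the buffer into private memory once and validates and uses only that copy. The function names, the `race_hook_t` callback (a deterministic stand-in for the racing thread) and the sample paths are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the driver's filter: a placeholder name may not
 * contain a path separator or a drive/stream separator. */
static bool path_is_safe(const char *p) {
    for (; *p; p++)
        if (*p == '\\' || *p == ':') return false;
    return true;
}

/* Simulates the racing thread: invoked between the check and the use. */
typedef void (*race_hook_t)(char *shared);

/* Vulnerable pattern: validate the shared buffer, then read it again later.
 * Anything written to it in between reaches the file operation unchecked. */
int create_placeholder_vulnerable(char *shared, race_hook_t between,
                                  char *out, size_t outlen) {
    if (!path_is_safe(shared)) return -1;   /* time of check */
    if (between) between(shared);           /* race window */
    snprintf(out, outlen, "%s", shared);    /* time of use: re-reads buffer */
    return 0;
}

/* Hardened pattern: capture once into memory the other thread cannot touch,
 * then validate and use that private copy. */
int create_placeholder_safe(char *shared, race_hook_t between,
                            char *out, size_t outlen) {
    char local[260];
    snprintf(local, sizeof local, "%s", shared);  /* single capture */
    if (!path_is_safe(local)) return -1;          /* check the copy */
    if (between) between(shared);                 /* write no longer matters */
    snprintf(out, outlen, "%s", local);           /* use the copy */
    return 0;
}

/* Constructed racing write: swaps the benign name for one the check rejects. */
void demo_flip(char *shared) { strcpy(shared, "..\\escaped:name"); }

int main(void) {
    char shared[64], out[64];
    strcpy(shared, "report.docx");
    create_placeholder_vulnerable(shared, demo_flip, out, sizeof out);
    printf("vulnerable used: %s\n", out);   /* ..\escaped:name slipped through */
    strcpy(shared, "report.docx");
    create_placeholder_safe(shared, demo_flip, out, sizeof out);
    printf("hardened used:   %s\n", out);   /* report.docx */
    return 0;
}
```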
How the Exploit Works
The exploitation technique requires multiple coordinated steps. First, attackers start the Remote Access Service (rasman) and create a cloud file sync root using the Cloud Files API.
Next, they connect to the Cloud Files Filter driver through DeviceIoControl calls and establish a communication port with the filter manager.
The attacker then creates a thread that continuously modifies a path string in kernel memory, changing it from an innocent filename to a symbolic link pointing to system directories like C:\Windows\System32.
While one thread performs file-creation operations, another thread rapidly modifies the memory location, exploiting the race condition window between the security check and file creation.
| CVE ID | Vulnerability Type | Affected Component | CVSS Score |
|---|---|---|---|
| CVE-2025-55680 | Privilege Escalation | Windows Cloud Files Mini Filter Driver (cldsync.sys) | 7.8 |
When the timing aligns perfectly, the driver creates files with elevated kernel-mode access privileges, bypassing standard access controls.
Attackers weaponize this by writing malicious DLLs, such as rasmxs.dll, into protected system directories, then use RPC calls to force privileged services to load the compromised library, resulting in complete system compromise, as reported by ssd-disclosure.
This vulnerability represents a serious privilege escalation risk for Windows systems. The attack requires local system access but delivers complete privilege escalation capabilities.
Any authenticated user can potentially exploit this flaw to gain SYSTEM-level privileges and maintain persistence through legitimate system processes.
Organizations running vulnerable Windows versions should prioritize patching immediately, as the exploitation technique is straightforward and reliable.
